MOBILE NETWORK SECURITY SYSTEM

FIELD AND BACKGROUND OF THE INVENTION

The present invention relates to cellular network technology and, more particularly, to a system and method to provide security to mobile data communications networks.

During the last twenty years communications network technology has undergone two major trends. One trend has been a revolutionary increase in data communications, and in particular in data communications in networks based on Internet protocol (IP). The second major trend has been a dramatic increase in the use of mobile telephone networks including cellular networks and mobile personal communications networks. Several competing technologies and standards have arisen for cellular mobile communications. Like wired telephone service (sometimes known as POTS, "plain old telephone service"), first and second generation mobile communications networks are circuit switched, i.e. a circuit or channel is open during the time of a conversation and the open circuit is closed at the end of a conversation. Data networks, such as those based on IP protocol, are packet switched. Data is divided into packets, each packet includes a header with an address, and routing of the data packets through the network is based on the address contained in the header.

Circuit switched networks, while appropriate for voice communications in both wired and mobile telephone networks, are not appropriate for the efficient transport of data. Therefore, there has been considerable effort during the past several years to incorporate packet switched data communications within the infrastructure of existing mobile telephone technologies. One such development is known as "Global Packet Radio Services" (GPRS), being developed for the cellular network standard known as GSM, "Global System for Mobile Communications".

GPRS is an emerging standard for generation 2+ GSM cellular networks and is also an essential step towards third generation mobile networks (UMTS) that are entirely packet switched, including voice channels being carried over IP. GPRS provides an efficient usage of the GSM radio interface because a number of mobile telephones can share a single radio channel. A simplified drawing of a GPRS network 10 is shown in Figure 1. Referring now to Figure 1, a mobile station 101 is in duplex wireless communication with a base transceiver station (BTS) 103. Typically, a group of base transceiver stations (BTS) 103 is controlled by a single base station controller (BSC) 104. Both base transceiver station (BTS) 103 and base station controller (BSC) 104 handle both conventional circuit switched communications, e.g. voice, as well as packet switched data communications. For circuit switched communications,

WO 2005/076726 PCT/IL2004/000942

base station controller (BSC) 104 provides a channel to a mobile switching center (not shown). For packet switched data communications, GPRS network 10 includes several network elements known as GPRS support nodes (GSN). Specifically, a serving GSN (SGSN) 105 is connected to base station controller (BSC) 104. SGSN 105 forwards incoming and outgoing IP packets addressed to and from mobile station 101 that is attached within the control area of SGSN 105. SGSN 105 also provides packet routing transfer outside the control area of SGSN 105. SGSN 105 also provides ciphering and authentication, session management, mobility management and logical link management to mobile station 101. SGSN 105 is connected to a gateway GPRS support node (GGSN) 111, a second primary component in GPRS network 10, through a GPRS backbone 107. Gateway GPRS support node (GGSN) 111 is connected to and provides an interface to an external IP network 113. GGSN 111 acts as a router for the IP addresses of all subscribers served through GPRS backbone 107. A border gateway 117 provides an interface to a public land mobile network (PLMN) 109. Typically, PLMN 109 is a mobile network of a different operator. Connections between different mobile networks enable roaming between different geographic regions.

When a user of mobile station 101 initiates a connection to the Internet, SGSN 105 registers mobile station 101 by assigning a "context" to mobile station 101. In GPRS network 10, the context is known as GPRS packet data protocol (PDP) context and includes a number of parameters. Some parameters are identifiers, including IMSI (International Mobile Subscriber Identity), a unique number assigned to each GPRS subscriber, an access point name (APN) and the phone number (MSISDN) of mobile station 101. The PDP context of mobile station 101 is periodically updated, such as when mobile station 101 is moved out of the routing area of SGSN 105 into a different routing area.

When mobile station 101 undergoes data communications, SGSN 105 uses the information contained in the PDP context of mobile station 101, and encapsulates each data packet sent from mobile station 101 with a reference to the PDP context. This technique is called "tunneling". Each tunnel includes encapsulated data packets communicating to and from serving node 105 and gateway node 111. There can be several tunnels serving the same mobile station. When a tunnel is created a protocol context is negotiated between the two end points of the tunnel, serving node 105 and gateway node 111. The protocol context is communicated to and from serving node 105 and gateway node 111 with signaling packets. The content of the context is modified during the life of the tunnel and at the end of the tunnel the context is destroyed by both sides. Each tunnel data packet includes a payload, a data packet that is coming to or from the mobile station, and a reference to a protocol context; the protocol context includes a plurality of identifiers for the mobile station using the tunnel. The original data packet, known as the "payload", remains encapsulated throughout the tunnel. At the end of the tunnel GGSN 111, for instance, removes the payload, e.g. IP packet, and transfers the data as an IP packet to external IP network 113. The tunneling protocol used between SGSN 105 and GGSN 111 is known as GPRS tunneling protocol (GTP). The use of GTP allows packets of different protocols, e.g. HTTP, DNS queries, to be tunneled through GPRS backbone 107 with different types of traffic from mobile stations 101. GTP is implemented only by GPRS support nodes SGSN 105 and GGSN 111. Other systems are unaware of GTP.
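As an added illustration, not part of the patent text, the following Python parser shows what the "reference to the protocol context" and the encapsulated payload look like on the wire for GTPv1, which is assumed here to be the GTP version in use between the SGSN and GGSN. The outer header carries a tunnel endpoint identifier (TEID) and a message type that distinguishes PDP context signaling (create/update/delete) from user-data G-PDUs, while the inner IP packet is carried untouched; a conventional firewall that does not parse this header sees only the outer transport. The header layout and message-type numbers follow 3GPP TS 29.060; both sample packets are constructed here, with documentation placeholder addresses, and the example handles a plain header and the optional sequence-number octets but deliberately rejects extension-header chains.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# GTPv1 message types (values from 3GPP TS 29.060); only those needed here.
CREATE_PDP_REQ, CREATE_PDP_RESP = 16, 17
UPDATE_PDP_REQ, UPDATE_PDP_RESP = 18, 19
DELETE_PDP_REQ, DELETE_PDP_RESP = 20, 21
G_PDU = 255  # a tunneled user packet (T-PDU)
SIGNALING_TYPES = {CREATE_PDP_REQ, CREATE_PDP_RESP, UPDATE_PDP_REQ,
                   UPDATE_PDP_RESP, DELETE_PDP_REQ, DELETE_PDP_RESP}


@dataclass
class GtpPacket:
    msg_type: int
    teid: int        # tunnel endpoint identifier: the packet's reference to its PDP context
    payload: bytes   # signaling IEs for GTP-C, or the encapsulated IP packet for a G-PDU


def parse_gtp(raw: bytes) -> GtpPacket:
    """Split a GTPv1 PDU into its 8-octet mandatory header (plus optional fields) and body."""
    if len(raw) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", raw[:8])
    if flags >> 5 != 1:
        raise ValueError("only GTPv1 is handled here")
    if len(raw) < 8 + length:
        raise ValueError("GTP length field exceeds captured bytes")
    body = raw[8:8 + length]
    # Any of the E, S or PN flag bits set => four optional octets (sequence number,
    # N-PDU number, next-extension-header type) precede the body.
    if flags & 0x07:
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        if body[3] != 0:
            raise ValueError("extension header chains are not handled in this example")
        body = body[4:]
    return GtpPacket(msg_type, teid, body)


def is_signaling(pkt: GtpPacket) -> bool:
    return pkt.msg_type in SIGNALING_TYPES


def inner_ipv4_summary(payload: bytes) -> Tuple[int, Optional[int]]:
    """Return (IP protocol number, destination port) of the encapsulated IPv4 packet."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 packet")
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    l4 = payload[ihl:]
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
    return proto, dport


def build_sample_gpdu(teid: int, dport: int) -> bytes:
    """Constructed sample: a minimal IPv4/TCP SYN (checksums left zero) inside a plain G-PDU."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([198, 51, 100, 10]))
    inner = ip + tcp
    # flags 0x30: version 1, protocol type GTP, no optional fields.
    return struct.pack("!BBHI", 0x30, G_PDU, len(inner), teid) + inner


def build_sample_create_request(seq: int, ies: bytes) -> bytes:
    """Constructed sample: a Create PDP Context Request with the S flag set (flags 0x32)."""
    opt = struct.pack("!HBB", seq, 0, 0)  # sequence number, N-PDU number, no extension header
    return struct.pack("!BBHI", 0x32, CREATE_PDP_REQ, len(opt) + len(ies), 0) + opt + ies


if __name__ == "__main__":
    samples = (build_sample_gpdu(0x1234, 80),
               build_sample_create_request(1, b"\x02" + b"\x00" * 8))
    for raw in samples:
        pkt = parse_gtp(raw)
        kind = "signaling" if is_signaling(pkt) else "user data %r" % (inner_ipv4_summary(pkt.payload),)
        print(f"type={pkt.msg_type} teid={pkt.teid:#x} {kind}")
```

The point of the split is that a policy decision on the payload (the inner protocol and port) and a decision on the context (the TEID and the identifiers negotiated in the signaling messages) come from two different layers of the same packet, which is exactly what a GTP-unaware firewall cannot correlate.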

There are many potential security threats in a mobile data network such as GPRS. Security threats include eavesdropping, masquerading, traffic analysis, manipulation and denial of service. An attacker can potentially break into a mobile data network from external IP network 113 or from external mobile network PLMN 109. Mobile data networks are more difficult to secure than fixed data networks. In fixed data networks, there is generally a single entry point between an internal corporate network and the external network. Generally, users are trusted within the internal local area network. In contrast, mobile users even of the same mobile network are not trusted users.

An operator of a mobile data network can protect GPRS backbone 107 from some potential attacks originating in external IP network 113 with a conventional system such as a firewall or an intrusion detection system at data and signal interface 115 between GGSN 111 and external IP network 113. However, GPRS backbone 107 is vulnerable to attack particularly from PLMN 109, especially when a competing operator is running PLMN 109. At the entry point to border gateway 117, conventional security systems, e.g. firewall or intrusion detection systems, are not appropriate for securing mobile stations in a mobile data network because conventional security systems are unaware of the tunneling protocol in use.

Prior art methods and systems for providing security in a mobile data network include Check Point® FireWall-1 GX Version 2.5 and Netscreen® 500-GPRS (Juniper Networks Inc., Sunnyvale, CA). "Check Point® FireWall-1 GX User Guide, Version 2.5" is incorporated for all purposes by reference as if fully set forth herein.

Reference is now made to Fig. 2a, a simplified drawing of a prior art security system 200, e.g. Check Point® FireWall-1 GX ver. 2.5. Security system 200a is connected "in-line" between GPRS backbone 107 and public land mobile network (PLMN) 109. Security system 200a further includes a gateway interface 203, a signal and data interface connected to border gateway 117 and operatively connected to gateway nodes, e.g. GGSN (not shown), in PLMN 109. Security system 200a further includes a serving interface 205, operatively connected to serving nodes 105, e.g. SGSN. Similarly, security system 200b is located between local GGSN 111 and GPRS backbone 107. Security system 200c is located between SGSN 105 and GPRS backbone 107. The secure mobile data network further includes a conventional firewall 207 at the entry point to external IP network 113.

Prior art security system 200 operates by monitoring the signal packets communicated between serving node 105 and gateway node 111. Prior art security system 200 further reads the reference to the protocol context in each data packet. Security system 200 verifies, for instance, that the data packet has a valid protocol context. Security system 200 can further apply a firewall policy, quality of service (QoS) and/or apply a virtual private network (VPN) based on identifiers included in the protocol context. However, prior art system 200 does not provide a security policy based on the payload carried in the data packets. On the other hand, firewall 207 is used to apply a security policy on, for instance, IP packets, i.e. the payload of data packets in the mobile network; however, firewall 207 is unaware of the protocol context and therefore firewall 207 cannot apply, for instance, a security policy based on the telephone number of the mobile station.

There is thus a need for, and it would be highly advantageous to have, a system and method to provide security to mobile users in mobile data communications networks; a system and method that applies a security policy based on both the protocol context and the payload of data packets encapsulated in a tunnel.

SUMMARY OF THE INVENTION

According to the teachings of the present invention, the method includes capturing the protocol context of tunneled data packets, relating the tunneled data packets to an appropriate stored tunnel context and assigning an appropriate tunnel profile for the tunnel context. The tunnel profile is then used to apply, based on the tunnel profile: security checking, bandwidth management, quality of service, virtual private network, intrusion detection and prevention, and/or voice over Internet protocol.

According to the present invention there is provided a method for providing security in a mobile data network. The mobile data network includes a serving node, serving a plurality of mobile stations and undergoing data communications with a gateway node. The data communications transfer data contained in data packets encapsulated in a tunnel by the serving node and gateway node. Each data packet includes a payload and a reference to a protocol context. The protocol context includes identifiers for each of the mobile stations using the tunnel. The serving node and the gateway node further communicate with each other using signaling packets for the creation, updating and destruction of the tunnel. The protocol context of the tunnel is communicated by the signaling packets. The method includes (a) providing a mobile network security system including a serving interface operatively connected to the serving node, a gateway interface operatively connected to the gateway node, a processor and a memory. The data packets and the signal packets pass through the serving interface and the gateway interface. The mobile network security system monitors the creation, updating and destruction of the tunnel by monitoring the signal packets. The method further includes (b) reading by the processor the reference to the protocol context of one or more data packets; and (c) applying a policy based on a tunnel profile, thereby performing an action on the data packets, wherein the action is based on the payload. The tunnel profile is selected based on the identifiers carried in the protocol context. Preferably, the method includes, prior to applying a policy, (d) storing in the memory a tunnel context based on the protocol context, wherein the tunnel context includes the identifiers. Preferably, prior to applying a policy, the tunnel profile is stored in the memory. Preferably, the identifiers include an access point name, a user name and a telephone number for each of the mobile stations. Preferably, the tunnel context is updated upon a change in the protocol context and the modified tunnel context is stored. Preferably the tunnel profile is updated based on the modified tunnel context and further based on information from an external database. Preferably, the external database is included in an external system such as fraud management systems, charge and billing systems, account management and/or authentication servers. Preferably, applying a policy provides a service such as security checking, bandwidth management, quality of service, virtual private network, extended security checking, intrusion detection and prevention, and voice over Internet protocol, wherein the service is selected based on the tunnel profile. Preferably, the service is differentiated respectively to each of the mobile stations based on the tunnel profile.

According to the present invention there is provided a method for providing security in a mobile data network. The network includes a serving node that serves mobile stations and undergoes data communications with a gateway node. The data communications transfer data contained in data packets encapsulated in a tunnel by the serving node and the gateway node. Each data packet includes a payload and a reference to a protocol context for each of the mobile stations using the tunnel. The serving node and gateway node further communicate with each other using signaling packets for the creation, updating and destruction of the tunnel. The protocol context of the tunnel is communicated by the signaling packets. The method includes (a) providing a mobile network security system. The mobile network security system includes an interface to the mobile data network, a processor and a memory. The mobile network security system monitors the creation, updating and destruction of the tunnel by monitoring the signal packets. The method further includes (b) reading by the processor the reference to the protocol context; and (c) querying by a management system for information stored in the protocol context.

According to the present invention there is provided a method for providing security in a mobile data network including a serving node serving a plurality of mobile stations and undergoing data communications with a gateway node. The data communications transfer data contained in data packets encapsulated in a tunnel by the serving node and gateway node. Each data packet includes a payload and a reference to a protocol context. The protocol context includes a plurality of identifiers for each of the mobile stations using the tunnel. The serving node and gateway node further communicate with each other using signaling packets for the creation, updating and destruction of the tunnel. The protocol context of the tunnel is communicated by the signaling packets. The method includes (a) providing a mobile network security system. The system includes an interface to the mobile data network, a processor and a memory. The mobile network security system monitors the creation, updating and destruction of the tunnel by monitoring the signal packets. The method further includes (b) reading by the processor the reference to the protocol context; and (c) sending commands to destroy the data packets of the tunnel when the tunnel is in use by an unauthorized mobile station. The data packets are identified based on the protocol context.

According to the present invention there is provided a system that provides security in a mobile data network. The network includes a serving node, serving a plurality of mobile stations and undergoing data communications with a gateway node. The data communications transfer data contained in data packets encapsulated in a tunnel by the serving node and gateway node. Each data packet includes a payload and a reference to a protocol context. The protocol context includes a plurality of identifiers for each of the mobile stations using the tunnel. The serving node and the gateway node further communicate with each other using signaling packets for the creation, updating and destruction of the tunnel. The protocol context of the tunnel is communicated by the signaling packets. The system includes (a) a serving interface operatively connected to the serving node; (b) a gateway interface operatively connected to the gateway node, wherein the data packets and signaling packets pass through the serving interface and the gateway interface; (c) a processor which reads the reference to the protocol context of at least one of said data packets; and (d) a memory mechanism. The processor selects a policy based on a tunnel profile previously stored with the memory mechanism; the processor thereby performs an action on the data packets, wherein the action is based on the payload. The tunnel profile is selected based on one or more identifiers carried in the protocol context. Preferably, the memory mechanism further stores a tunnel context based on the protocol context, wherein the tunnel context includes one or more identifiers. Preferably, the system further includes (e) a management interface, operatively connected to a management system for querying information stored in the tunnel context. Preferably, the identifiers include an access point name, a user name and a telephone number of the mobile station. Preferably, the processor updates the tunnel context based on a change of the protocol context, and thereby stores with the memory mechanism a modified tunnel context, and the processor updates the tunnel profile based on the modified tunnel context. Preferably, the processor updates the tunnel context based on the mobile station roaming to a second serving node. Preferably, the processor destroys a tunnel context by commanding a serving node or a gateway node to destroy the tunnel. Preferably, the system further includes an external database, wherein the tunnel profile is further based on information from the external database. Preferably, the external database is included in an external system such as fraud management systems, charge and billing systems, account management systems and authentication servers. Preferably, the policy provides a service including security checking, bandwidth management, quality of service, virtual private network, extended security checking, intrusion detection and prevention and voice over Internet protocol. The service is selected based on the tunnel profile, wherein the service is differentiated respectively to each of the mobile stations based on the tunnel profiles.

According to the present invention there is provided a method for providing security during roaming and handoff from a first mobile data network to a second mobile data network. Each network includes a serving node, serving a plurality of mobile stations and undergoing data communications with a gateway node. The data communications transfer data contained in data packets encapsulated in a tunnel by the serving node and gateway node. Each data packet includes a payload and a reference to a protocol context. The protocol context includes identifiers for each of the mobile stations using the tunnel. The serving node and gateway node further communicate with each other using a plurality of signaling packets for the creation, updating and destruction of the tunnel. The protocol context of the tunnel is communicated by the signaling packets. The method includes (a) providing a first mobile network security system to the first mobile data network and further providing a second mobile network security system to the second mobile data network, each security system including a serving interface operatively connected to the serving node, a gateway interface operatively connected to the gateway node, a processor and a memory. The data packets and the signal packets pass through the serving interface and the gateway interface, wherein the first and second mobile network security systems monitor the creation, updating and destruction of the tunnel by monitoring the signal packets. The method further includes (b) reading the reference to the protocol context of at least one of the data packets by the processor of the first mobile security system; (c) storing a tunnel context based on the protocol context in the memory of the first mobile security system, wherein the tunnel context includes the identifiers; and (d) transferring the tunnel context to the second mobile network security system, thereby protecting the second mobile data network wherein the mobile station associated with the tunnel context roams to the second mobile data network. Preferably, transferring the tunnel context occurs prior to the hand-off from the first mobile data network to the second mobile data network.

According to the present invention there is provided a method for providing security in a mobile data network including a serving node, serving a plurality of mobile stations and undergoing data communications with a gateway node. The data communications transfer data contained in data packets encapsulated in a tunnel by the serving node and gateway node. Each data packet includes a payload and a reference to a protocol context; the protocol context includes identifiers for each of the mobile stations using the tunnel. The serving node and gateway node further communicate with each other using signaling packets for the creation, updating and destruction of the tunnel. The protocol context of the tunnel is communicated by the signaling packets. The method includes (a) providing a mobile network security system including an interface to the mobile data network, a processor and a memory. The mobile network security system monitors the creation, updating and destruction of the tunnel by monitoring the signal packets. The method further includes (b) reading by the processor the reference to the protocol context and the payload of the data packets; and (c) applying a policy, thereby performing an action on the data packets, wherein the action is based on the payload, and is selected based on one or more identifiers carried in the protocol context.

According to the present invention there is provided a program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine for implementing the methods of the present invention described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is herein described, by way of example only, with reference to the accompanying drawings, wherein:

FIG. 1 is a drawing of a prior art mobile data network;

FIG. 2a is a simplified schematic drawing of a mobile data network with a prior art security system according to an embodiment of the present invention;

FIG. 2b is a simplified schematic drawing of a mobile data network with a security system according to an embodiment of the present invention;

FIG. 3 is a simplified flow diagram of a system and method for securing mobile data networks, the method according to an embodiment of the present invention;

FIG. 4 is a simplified flow diagram of a method for securing mobile data networks, the method according to an embodiment of the present invention;

FIG. 5 is a simplified schematic diagram showing a security system integrated with mobility management, according to an embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention is of a system and method for providing security to mobile data communications networks. Specifically, the present invention provides security enforcement while the mobile traffic payload is still encapsulated, allowing applying different policies for different contexts based on the payload.

The present invention is used to provide security between and within mobile data communications networks and between mobile data communications networks operated by different operators by applying a security policy based on protocol context and the encapsulated payload. The present invention also provides additional security from attacks from a wired network, e.g. Internet, since a traditional firewall is not equipped to prevent attacks on mobile users. The present invention is used to grade the networking service that a mobile station receives, e.g. quality of service (QoS), virtual private network (VPN), extra security services, voice over IP (VoIP), or to limit the usage of certain network protocols by some users.

The principles and operation of a system and method for providing security to mobile data communications networks, according to the present invention, may be better understood with reference to the drawings and the accompanying description.

The discussion herein relates primarily to a system configured "in-line" that opens data packets encapsulated in a tunnel, subsequently reconstructs the data packets and sends them to their respective destinations. Although the discussion herein relates primarily to an "in-line" system, the present invention may, by non-limiting example, alternatively or additionally be configured in a "sniffing mode", i.e. copying and opening data packets and sending requests, for instance to block a mobile user, to the serving nodes 105 and gateway nodes 111 without directly mediating the communications between the serving nodes 105 and gateway nodes 111. Alternatively, according to some embodiments the method of the present invention is performed with multiple systems 201. For instance one or more systems 201 function to capture the protocol context, e.g. from signaling packets, and other systems 201 use the context to apply a specific policy.

Before explaining embodiments of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and the arrangement of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments or of being practiced or carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein is for the purpose of description and should not be regarded as limiting.

As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other structures, methods and systems for carrying out the several purposes of the present invention. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the present invention.

By way of introduction, principal intentions of the present invention are to: (1) provide security to mobile stations undergoing data communications in a mobile data network, including security against attacks emanating from mobile stations; (2) grade the networking service that a mobile station receives; (3) provide security to a mobile data network from a competing operator or mobile users of a competing operator of another mobile data network; (4) maintain security or level of service while a mobile station roams from one serving node to another serving node or to another mobile network; and (5) base security on information from external systems, e.g. fraud management systems, account management systems, charge and billing systems, operating in coordination with a mobile data network. It should be noted that while the discussion herein is directed to public mobile cellular networks, particularly a GPRS network over a GSM mobile cellular network, the principles of the present invention may be adapted for use in, and provide benefit to, data communications over mobile cellular networks based on other technologies and standards such as CDMA, e.g. IS-95, or TDMA, e.g. IS-136. Furthermore, the principles of the present invention may be adapted for use in other wireless data networks, for example local wireless data networks based on IEEE 802.11x, known as WiFi; or for any tunneling protocol in which each tunnel carries packets of one user or users and in which the context of the tunnel is negotiated separately or as a preamble/header to the tunnel and in which an intermediate device can read from the context being negotiated one or more fields that can identify the user or users. The term "firewall policy" is defined as a stateful inspection of the payload of a data packet according to a predefined set of rules. The term "policy" is used herein to refer to any type of differentiated service provided to mobile users such as a security policy, or a subscriber level policy. The term "processor" as used herein refers also to any "device" capable of performing the method described, including but not limited to custom manufactured with, for instance, ASIC technology. The term "user" includes any entity, including a person or application, undergoing communication.

The present invention provides two levels of poUcy: (a) a "context sensitive poUcy" in 
which the - creatioii/update/deletion of a protocol context is allowed based on identifiers of the 

10 protocol context. e.g. IMSI, MSISDN and/or APN; and (b) a "subscriber level poHcy". 
applying a poUcy based on the payload of the mobUe traffic. The foUowing is an example of 
applying a subscriber level poUcy, according to the teachings of the present invention. Two 
mobile users Alice and Bob are subscribers of the CeUavie cellular operator. AHce paid for a 
full set of Internet connectivity access &at allows access to the Internet with every available 

15 protocol (e.g., WAP, HTTP, SMTP, POPS, FTP. TBLNET ) Bob on the other hand bought 
access only for the WAP protocol. The Cellavie security department is required to enforce that 
Bob wiU be allowed to access only via WAP whDe AHce be allowed unUmited access. 
According to an embodiment of the present invention, the foUowing niles are used: 

1. source = Cellavie SGSN, destination = Cellavie GGSN, (IMSI = Alice or IMSI = Bob)
   -> action = accept

2. source = *, destination = *, protocol = *, Context = Alice
   -> action = accept

3. source = *, destination = *, protocol = WAP, Context = Bob
   -> action = accept

4. drop everything else

Rule 1 is based on protocol context and allows both Alice and Bob access to the GPRS
system. Rules 2 and 3 discriminate the mobile traffic based on the payload protocol. Rule 2
applies only to traffic from Alice, while rule 3 applies only to traffic from Bob. Rule 4 drops
any network traffic that did not match any of the previous rules; the rules are evaluated in
order, so the default drop must remain the last rule.

Since applying a different policy to each and every mobile subscriber is virtually
impossible, the present invention introduces a new concept called a profile. A profile identifies
a group of users requesting a service from the system. For example, let us assume that Bob and
many other subscribers bought a connectivity package called "Internet with WAP" and Alice
and many others bought a connectivity package called "Internet Unlimited". During the context
creation from Alice, Bob or any other mobile subscriber, the context is associated with the
profile "Internet with WAP profile" or "Internet Unlimited profile" based on the subscriber's
connectivity package. The definition of profiles allows rewriting rules 2 and 3 above as follows:

2. source = *, destination = *, protocol = *, Context belongs to "Internet Unlimited profile"
   -> action = accept

3. source = *, destination = *, protocol = WAP, Context belongs to "Internet with WAP profile"
   -> action = accept

Referring now to the drawings, Figure 2b illustrates a secure mobile data network 21,
with context/payload sensitive security systems 201, according to an embodiment of the
present invention, integrated into prior art mobile data network 10 as shown in Figure 1.
Specifically, security system 201a is connected "in-line" between GPRS backbone 107 and
public land mobile network (PLMN) 109. Security system 201a further includes gateway
interface 203, a signal and data interface connected to border gateway 117 and operatively
connected to gateway nodes, e.g. GGSN (not shown), in PLMN 109. Security system 201a
further includes a serving interface 205, operatively connected to serving nodes 105, e.g.
SGSN. Secure mobile data network 21 further includes conventional firewall 207 at the entry
point to external IP network 113.

Reference is now made to Figure 3, which illustrates a system and method providing
security to mobile users in a mobile data network, according to an embodiment of the present
invention. A signaling packet 30 is represented, including at least in part a protocol context, e.g.
GTP context 302. Signaling packet 30 may also include signaling data 304, used for instance
for managing mobile roaming. An encapsulated data packet 31 is shown, including a reference
301 to protocol context 302, and a payload 303. Payload 303 is typically a data packet of a
standard protocol, e.g. UDP or TCP/IP, used in wired data networks. Encapsulated data packet
31 or signaling packet 30 is opened (step 313) and the contents are read by processor 305. If
the packet is used for protocol negotiation (decision block 315), e.g. including signaling packet
30, then a tunnel context is updated and stored (step 317). Typically the tunnel context includes
identifiers in protocol context 302 such as an access point name (APN), a mobile station
telephone number (MSISDN) and/or a user identity/SIM number (IMSI). One or more of these
identifiers are stored (step 317) as a tunnel context in a local memory 307. A tunnel context is
maintained for each mobile station 101 "attached" to secure mobile data network 21. If there is
a change in protocol context 302, for instance because mobile station 101 has roamed to a
different access point, the tunnel context for mobile station 101 is updated and subsequently
stored (step 317) in memory 307. Processor 305 assigns (step 321) a tunnel profile to the
tunnel context for each user/tunnel and stores the assigned tunnel profile in memory 307.
Alternatively, either the tunnel context or the profile is stored in memory 307. Referring back
to decision block 315, if the packet is data packet 31 then reference 301 to protocol context 302
is read by processor 305. Processor 305 retrieves from memory 307 the tunnel profile associated
with protocol context 302. Processor 305 then selects a policy (step 319) appropriate for the
tunnel profile from service rule/policy storage 309 and applies it (step 325, 327 and/or 329)
depending on the policy selected. Note that reference 301 by itself carries no subscriber
identity; the binding of a data packet to a user comes entirely from the stored tunnel context,
so a data packet whose reference matches no stored context falls through to the default drop.
Referring back to our example, reference 301 referring to Alice is read by processor 305. The
"Internet Unlimited" profile is retrieved (step 318) from memory 307. An action "accept" is
selected (step 319) for data packet 31.

Typically, in decision block 315, updating/storing (step 317) a tunnel context and/or
assigning/updating (step 321) a profile are performed once for signaling packet 30, and
subsequently, for each of data packets 31 from the same tunnel, the corresponding profile is
retrieved (step 318) and the appropriate policy is selected (step 319) and applied (step 325, 327
and/or 329), i.e. action is taken.

At the end of data transmission, mobile station 101 for instance becomes inactive and
the MSISDN is no longer available. The tunnel is consequently destroyed, and the tunnel
context and tunnel profile are optionally removed from memory 307. Optionally, commands are
sent out by security system 201 to the appropriate serving node 105 and/or gateway nodes 111
to destroy the tunnel. Commands are sent out to other security systems 201 to destroy all
tunnels of mobile station 101. Other than applying (step 325) a security policy, the tunnel
profile may specify other services, such as applying (step 329) a virtual private network (VPN)
or applying (step 327) a quality of service policy. In addition, the security policy step (step
325) may invoke additional security actions, i.e. extended security, e.g. anti-virus. Other
applicable services (not shown) are intrusion detection and prevention, and Voice over Internet
Protocol.

Security system 201 includes an interface to an external database 311. Database 311
preferably stores groups of identifiers of, or references to, users, each group typically
associated with a tunnel profile. For instance, external database 311 is associated with an
external authentication server, e.g. RADIUS, which provides an identifier or otherwise a
reference to each authenticated user.

Security system 201 includes a management interface 331 operatively connected to an
external management system for querying stored information, e.g. tunnel context. Security
system 201 further includes a memory mechanism 333, e.g. a memory bus, for storing in
memory 307 and service rule/policy storage 309.

For payload 303 of a standard protocol, e.g. IP or IPv6, a policy of conventional firewall
207 is applied to payload 303. Optionally, different firewall policies are applied depending on
the tunnel profile associated with encapsulating packet 31.

Reference is now made to Figure 4, a flow diagram of a method according to an
embodiment of the present invention. Processor 305 monitors (step 401) an incoming
encapsulated data packet 31 arriving through either serving interface 205 or gateway interface
203. Processor 305 reads (step 403) reference 301 to protocol context 302 and determines (step
405) a user identity based on one or more identifiers in the stored tunnel context, where the
context was stored in the way described previously. Processor 305 compares the user identity
with user identifiers in service rules sourced, for instance, from external database 311 associated
with external fraud management systems, account management systems, charging and billing
systems and/or authentication servers. If the user identity corresponds to an unauthorized user
(decision block 407), processor 305 determines (step 409) all tunnel contexts associated with
the unauthorized user. Security system 201 sends commands (step 325), optionally to other
security systems 201, to serving nodes 105 and/or gateway nodes 111, to tear down all existing
and future tunnels to block the unauthorized user.
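
The following is an added illustration, not code from the patent or from any operator's
equipment, of the two-level policy described above: signaling packets that carry the protocol
context (IMSI, MSISDN, APN) create, update or delete a tunnel context under the context
sensitive policy (rule 1); data packets, which carry only reference 301 (assumed here to be the
GTP tunnel endpoint identifier, TEID), are judged under the subscriber level policy of the profile
bound to that tunnel; and the Figure 4 path tears down every tunnel of a user found to be
unauthorized. The IMSIs, MSISDNs, node addresses, package names and packet dictionaries are
constructed sample data, and the packet format is a simplification chosen for the example.

```python
"""Toy model of the context/payload sensitive policy engine described in the text.

Signaling packets carry the protocol context (IMSI, MSISDN, APN) and create, update
or delete a tunnel; data packets carry only a reference to that tunnel plus a
payload protocol. Policy is selected per tunnel profile, with a default drop.
All identifiers, packages and packets below are constructed sample data.
"""
from dataclasses import dataclass

# Subscriber connectivity package per IMSI (stands in for external database 311).
PACKAGES = {
    "234150000000001": "Internet Unlimited",   # "Alice" (constructed IMSI)
    "234150000000002": "Internet with WAP",    # "Bob"   (constructed IMSI)
}

# Subscriber level policy per profile: payload protocols accepted; "*" means any.
PROFILE_RULES = {
    "Internet Unlimited": {"*"},
    "Internet with WAP": {"WAP"},
}


@dataclass
class TunnelContext:
    """Tunnel context kept in memory 307 for one attached mobile station."""
    teid: int
    imsi: str
    msisdn: str
    apn: str
    profile: str


class SecuritySystem:
    def __init__(self, sgsn: str, ggsn: str):
        self.sgsn = sgsn
        self.ggsn = ggsn
        self.tunnels: dict[int, TunnelContext] = {}  # reference 301 (TEID) -> context
        self.blocked: set[str] = set()                # IMSIs found unauthorized

    def handle_signaling(self, pkt: dict) -> str:
        """Context sensitive policy: gate create/update/delete on the identifiers."""
        # Rule 1: only the operator's own SGSN -> GGSN negotiation, known IMSI.
        if (pkt["src"], pkt["dst"]) != (self.sgsn, self.ggsn):
            return "drop"
        imsi = pkt["imsi"]
        if imsi not in PACKAGES or imsi in self.blocked:
            return "drop"
        teid = pkt["teid"]
        if pkt["type"] == "create":
            # The profile is assigned once, from the subscriber's package (step 321).
            self.tunnels[teid] = TunnelContext(teid, imsi, pkt["msisdn"], pkt["apn"], PACKAGES[imsi])
        elif pkt["type"] == "update":
            ctx = self.tunnels.get(teid)
            if ctx is None or ctx.imsi != imsi:
                return "drop"  # update for a tunnel never seen created, or for another user
            ctx.apn = pkt["apn"]
        elif pkt["type"] == "delete":
            self.tunnels.pop(teid, None)
        else:
            return "drop"
        return "accept"

    def handle_data(self, pkt: dict) -> str:
        """Subscriber level policy: the payload protocol is judged per tunnel profile."""
        ctx = self.tunnels.get(pkt["teid"])
        if ctx is None:
            return "drop"  # rule 4: no negotiated context, nothing binds the packet to a user
        allowed = PROFILE_RULES[ctx.profile]
        return "accept" if "*" in allowed or pkt["protocol"] in allowed else "drop"

    def block_user(self, imsi: str) -> list[int]:
        """Figure 4 path: tear down every tunnel of an unauthorized user and refuse
        new ones. Returns the TEIDs that were torn down."""
        self.blocked.add(imsi)
        torn = [t for t, c in self.tunnels.items() if c.imsi == imsi]
        for t in torn:
            del self.tunnels[t]
        return torn


def demo() -> list[str]:
    """Run Alice's and Bob's traffic through the engine; returns the decisions in order."""
    ss = SecuritySystem(sgsn="10.0.1.1", ggsn="10.0.2.1")
    alice, bob = "234150000000001", "234150000000002"
    sig = {"src": "10.0.1.1", "dst": "10.0.2.1", "type": "create", "apn": "internet"}
    out = [
        ss.handle_signaling({**sig, "teid": 1, "imsi": alice, "msisdn": "+447700900001"}),
        ss.handle_signaling({**sig, "teid": 2, "imsi": bob, "msisdn": "+447700900002"}),
        # a create arriving from an unexpected source is refused by rule 1
        ss.handle_signaling({**sig, "src": "198.51.100.7", "teid": 3, "imsi": bob, "msisdn": "+447700900002"}),
        ss.handle_data({"teid": 1, "protocol": "SMTP"}),  # Alice: any protocol
        ss.handle_data({"teid": 2, "protocol": "WAP"}),   # Bob: WAP only
        ss.handle_data({"teid": 2, "protocol": "HTTP"}),  # Bob: not WAP
        ss.handle_data({"teid": 9, "protocol": "WAP"}),   # no tunnel context at all
    ]
    out.append(",".join(map(str, ss.block_user(bob))))   # Bob flagged: tunnel 2 torn down
    out.append(ss.handle_data({"teid": 2, "protocol": "WAP"}))  # now dropped
    return out


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the payload rule never runs without a context: a packet
that references a tunnel the security system did not see negotiated is dropped, not passed on
to the conventional firewall, and an update for a tunnel whose stored IMSI differs from the one
claimed is refused, which is the check the roaming discussion below relies on.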
Reference is now made to Figure 5. When a mobile station 101 roams from one
network, GPRS backbone 107, to another network, PLMN 109, serving node 105a, connected to
network 107, and serving node 105b, connected to PLMN 109, negotiate the roaming using a
mobility management protocol. Typically, the tunnel is transferred from serving node 105a to
serving node 105b while maintaining the same gateway node 111. Security system 201a
transfers the tunnel contexts used for mobile station 101 to security system 201b. Security
system 201b allows data traffic only if the tunnel context corresponds to a tunnel context
received from security system 201a. Security system 201 monitors the content of signaling
packets prior to the actual handoff from serving node 105a to serving node 105b and is
therefore aware that the handoff is imminent. Therefore, context/payload sensitive security
system 201 provides a higher level of security against, for instance, masquerading than prior art
security system 200, which is only aware of the protocol context after the actual handoff has
occurred.
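
The handoff check just described, as an added example that is not part of the patent: the
security system on the old path exports the roaming station's tunnel contexts to its peer before
the serving node changes, and the peer admits the mobility update and the subsequent data
only for a tunnel it was told to expect, with the claimed IMSI matching. The contexts, TEIDs and
IMSIs are constructed sample data; the reference to the tunnel is again assumed to be the GTP
TEID, and the inter-system transfer is modelled as a plain method call rather than a protocol.

```python
"""Toy model of the Figure 5 handoff handling.

Before the serving node changes, the security system on the old path (201a) exports
the tunnel contexts of the roaming station to the system on the new path (201b).
201b admits the mobility update and data for those tunnels only when they match a
context it received ahead of time. All contexts and identifiers are constructed.
"""


class RoamingSecuritySystem:
    def __init__(self, name: str):
        self.name = name
        self.tunnels: dict[int, dict] = {}      # active contexts, keyed by reference (TEID)
        self.handed_over: dict[int, dict] = {}  # received from a peer, not yet active here

    def attach(self, teid: int, imsi: str, profile: str) -> None:
        """Context created locally by ordinary signaling (step 317/321)."""
        self.tunnels[teid] = {"imsi": imsi, "profile": profile}

    def export_contexts(self, imsi: str) -> dict[int, dict]:
        """Contexts of one station, sent to the peer once its handoff is seen coming."""
        return {t: dict(c) for t, c in self.tunnels.items() if c["imsi"] == imsi}

    def receive_contexts(self, contexts: dict[int, dict]) -> None:
        self.handed_over.update(contexts)

    def handle_update(self, teid: int, imsi: str) -> str:
        """Mobility-management update from the new serving node: accept only if it
        matches a context received from the peer, then make the tunnel active."""
        ctx = self.handed_over.get(teid)
        if ctx is None or ctx["imsi"] != imsi:
            return "drop"  # masquerade: claims a tunnel that was never handed over
        self.tunnels[teid] = self.handed_over.pop(teid)
        return "accept"

    def handle_data(self, teid: int) -> str:
        """Data on the new path is allowed only for an activated, handed-over tunnel."""
        return "accept" if teid in self.tunnels else "drop"

    def release(self, imsi: str) -> list[int]:
        """Old side drops the station's contexts once the handoff has completed."""
        gone = [t for t, c in self.tunnels.items() if c["imsi"] == imsi]
        for t in gone:
            del self.tunnels[t]
        return gone


def demo() -> list[str]:
    """Walk one station through a handoff from 201a to 201b; returns the decisions."""
    a = RoamingSecuritySystem("201a")
    b = RoamingSecuritySystem("201b")
    bob = "234150000000002"
    a.attach(teid=11, imsi=bob, profile="Internet with WAP")
    out = [b.handle_data(11)]                               # before handoff: unknown on 201b
    b.receive_contexts(a.export_contexts(bob))              # 201a sees the handoff coming
    out.append(b.handle_update(teid=11, imsi="234150000000009"))  # wrong IMSI for tunnel 11
    out.append(b.handle_update(teid=12, imsi=bob))          # tunnel 12 was never handed over
    out.append(b.handle_update(teid=11, imsi=bob))          # the genuine handoff
    out.append(b.handle_data(11))                           # data now flows on 201b
    out.append(",".join(map(str, a.release(bob))))          # 201a forgets the tunnel
    return out


if __name__ == "__main__":
    print(demo())
```

In a deployment the handed-over entries would also need an expiry, so that a context announced
for a handoff that never completes does not remain claimable indefinitely.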
With respect to the above description, it is to be realized that the relationships for
the parts of the invention, including variations in function and manner of operation, assembly
and use, are deemed readily apparent and obvious to one skilled in the art, and all equivalent
relationships to those illustrated in the drawings and described in the specification are intended
to be encompassed by the present invention. In particular, the same invention can be applied to
other tunneling protocols than GTP.

Therefore, the foregoing is considered as illustrative only of the principles of the
invention. Further, since numerous modifications and changes will readily occur to those
skilled in the art, it is not desired to limit the invention to the exact construction and operation
shown and described, and accordingly, all suitable modifications and equivalents may be
resorted to, falling within the scope of the invention.

While the invention has been described with respect to a limited number of
embodiments, it will be appreciated that many variations, modifications and other applications
of the invention may be made.



